Issue:
When performing a DCDIAG, you get a warning with output:
Warning: Attribute userAccountControl of DC is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
Cause:
The computer account was pre-created in Active Directory Users and Computers (ADUC) before the server was joined to the domain and promoted to a domain controller. Pre-creating the account sets the UF_PASSWD_NOTREQD bit (0x20), which exempts the account from the password-required policy, and that bit is still present after promotion, so the DC carries 0x82020 instead of the expected 0x82000.
Fix 1:
- Launch ADSI Edit and connect to the Default Naming Context
- Drill down into the Domain Controllers OU
- Double-click the domain controller and in the Attribute Editor tab, scroll down to userAccountControl
- You will likely see the value set to something like 0x82020 = (PASSWD_NOTREQD...
- Highlight the value and click Edit
- Change the value in the edit box from 532512 (0x82020) to 532480 (0x82000)
- Click OK and OK again to save the changes
Now running DCDIAG should show this error to have been cleared.
Fix 2:
You can use an elevated PowerShell session (with the ActiveDirectory module) to automate the steps in Fix 1 across all domain controllers in the Domain Controllers OU.
Change the -SearchBase value below to your own domain and execute:
# Find every computer object under the Domain Controllers OU whose
# userAccountControl is not the expected DC value (532480 = 0x82000)
# and set it back to 532480. -WhatIf only reports what would change;
# remove it once you have reviewed the list.
Get-ADObject -Filter "objectCategory -eq 'computer'" -SearchBase "OU=Domain Controllers,DC=domain,DC=tld" -SearchScope Subtree -Properties distinguishedName,userAccountControl | Select-Object distinguishedName, name, userAccountControl | Where-Object { $_.userAccountControl -ne 532480 } | ForEach-Object { Set-ADObject -Identity $_.distinguishedName -Replace @{userAccountControl = 532480} -WhatIf }
As written (with -WhatIf) the command does not change anything, but it still lists every domain controller with an incorrect value, which is handy where there are numerous domain controllers present.
Extra Information:
Some typical values:
- Standard user: 0x200 (512)
- Domain controller: 0x82000 (532480)
- Workstation / member server (non-DC): 0x1000 (4096)
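The following is an added example, not code from the original post: it decodes a userAccountControl value into the standard Windows UF_ flag names shown in the DCDIAG warning, and generalises Fix 2 by clearing only the UF_PASSWD_NOTREQD bit rather than overwriting the whole value with 532480, so any other legitimate flags on a DC account are preserved. The flag constants are the documented Windows values; the OU distinguished name is a placeholder and the ActiveDirectory cmdlets are only invoked if the module is available.

```powershell
# Standard userAccountControl flag bits (documented Windows UF_ constants).
$UacFlags = [ordered]@{
    UF_ACCOUNTDISABLE                 = 0x0002
    UF_PASSWD_NOTREQD                 = 0x0020
    UF_PASSWD_CANT_CHANGE             = 0x0040
    UF_NORMAL_ACCOUNT                 = 0x0200
    UF_WORKSTATION_TRUST_ACCOUNT      = 0x1000
    UF_SERVER_TRUST_ACCOUNT           = 0x2000
    UF_DONT_EXPIRE_PASSWD             = 0x10000
    UF_TRUSTED_FOR_DELEGATION         = 0x80000
    UF_NOT_DELEGATED                  = 0x100000
    UF_DONT_REQUIRE_PREAUTH           = 0x400000
    UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Return the names of all flags set in a userAccountControl value.
function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Clear only the PASSWD_NOTREQD bit; every other flag is left untouched.
function Get-CorrectedDcUac {
    param([Parameter(Mandatory)][int]$Value)
    $Value -band (-bnot $UacFlags.UF_PASSWD_NOTREQD)
}

# Worked example with the value from the DCDIAG warning (0x82020 = 532512).
$bad   = 0x82020
$fixed = Get-CorrectedDcUac $bad
'0x{0:X} ({0}) = {1}' -f $bad,   ((ConvertFrom-Uac $bad)   -join ' | ')
'0x{0:X} ({0}) = {1}' -f $fixed, ((ConvertFrom-Uac $fixed) -join ' | ')

# Apply to the Domain Controllers OU when the ActiveDirectory module is present.
# Placeholder OU DN; drop -WhatIf only after reviewing the accounts it lists.
if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
    Get-ADObject -Filter "objectCategory -eq 'computer'" `
        -SearchBase 'OU=Domain Controllers,DC=domain,DC=tld' -SearchScope Subtree `
        -Properties userAccountControl |
      Where-Object { ($_.userAccountControl -band $UacFlags.UF_PASSWD_NOTREQD) -ne 0 } |
      ForEach-Object {
          $new = Get-CorrectedDcUac $_.userAccountControl
          Set-ADObject -Identity $_.DistinguishedName -Replace @{userAccountControl = $new} -WhatIf
      }
}
```

Testing the bit instead of comparing against 532480 also avoids flagging a DC that legitimately carries extra bits (for example UF_NOT_DELEGATED) as "incorrect".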